Report of the work undertaken by the ChatGPT Taskforce

In the recent past, numerous large language models (hereinafter “LLMs”) have emerged for use in various fields. While these models can offer great benefits to the public, processing operations associated with LLMs shall comply with the GDPR. It has to be noted that LLMs are trained and enhanced using a huge amount of data, including personal data. Some of the most popular and widely known LLMs are those in the “GPT” category, since it has been the first consumer-facing model to be launched on 30 November 2022 through the ChatGPT service. Several Supervisory Authorities (hereinafter “SAs”) have initiated data protection investigations pursuant to Article 58(1)(a) and (b) GDPR against OpenAI OpCo, LLC (hereinafter “OpenAI”) as controller for processing operations carried out in the context of the ChatGPT service. In the Plenary meeting of the EDPB on 16 January 2024, the decision was made to specify the mandate of the task force and to publish a report, outlining the interim results of the ChatGPT TF. According to this mandate, the taskforce shall: • Exchange information between SAs on engagement with OpenAI and on-going enforcement activities concerning ChatGPT. • Facilitate coordination of external communication by SAs concerning enforcement activities in the context of ChatGPT. • Swiftly identify a list of issues on which a common approach is needed in the context of different enforcement actions concerning ChatGPT by SAs.